search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Notify network properties changed for IPConfig updates
[chromium-blink-merge.git] / base / tools_sanity_unittest.cc
blobc03110e24b4965ea89ba117106ef7bf8d48ce9ca
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 //
5 // This file contains intentional memory errors, some of which may lead to
6 // crashes if the test is ran without special memory testing tools. We use these
7 // errors to verify the sanity of the tools.
8
9 #include "base/atomicops.h"
10 #include "base/debug/asan_invalid_access.h"
11 #include "base/debug/profiler.h"
12 #include "base/message_loop/message_loop.h"
13 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
14 #include "base/threading/thread.h"
15 #include "testing/gtest/include/gtest/gtest.h"
16
17 namespace base {
18
19 namespace {
20
21 const base::subtle::Atomic32 kMagicValue = 42;
22
23 // Helper for memory accesses that can potentially corrupt memory or cause a
24 // crash during a native run.
25 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
26 #if defined(OS_IOS)
27 // EXPECT_DEATH is not supported on IOS.
28 #define HARMFUL_ACCESS(action,error_regexp) do { action; } while (0)
29 #elif defined(SYZYASAN)
30 // We won't get a meaningful error message because we're not running under the
31 // SyzyASan logger, but we can at least make sure that the error has been
32 // generated in the SyzyASan runtime.
33 #define HARMFUL_ACCESS(action,unused) \
34 if (debug::IsBinaryInstrumented()) { EXPECT_DEATH(action, \
35 "AsanRuntime::OnError"); }
36 #else
37 #define HARMFUL_ACCESS(action,error_regexp) EXPECT_DEATH(action,error_regexp)
38 #endif // !OS_IOS && !SYZYASAN
39 #else
40 #define HARMFUL_ACCESS(action,error_regexp) \
41 do { if (RunningOnValgrind()) { action; } } while (0)
42 #endif
43
44 void DoReadUninitializedValue(char *ptr) {
45 // Comparison with 64 is to prevent clang from optimizing away the
46 // jump -- valgrind only catches jumps and conditional moves, but clang uses
47 // the borrow flag if the condition is just `*ptr == '\0'`.
48 if (*ptr == 64) {
49 VLOG(1) << "Uninit condition is true";
50 } else {
51 VLOG(1) << "Uninit condition is false";
52 }
53 }
54
55 void ReadUninitializedValue(char *ptr) {
56 #if defined(MEMORY_SANITIZER)
57 EXPECT_DEATH(DoReadUninitializedValue(ptr),
58 "use-of-uninitialized-value");
59 #else
60 DoReadUninitializedValue(ptr);
61 #endif
62 }
63
64 void ReadValueOutOfArrayBoundsLeft(char *ptr) {
65 char c = ptr[-2];
66 VLOG(1) << "Reading a byte out of bounds: " << c;
67 }
68
69 void ReadValueOutOfArrayBoundsRight(char *ptr, size_t size) {
70 char c = ptr[size + 1];
71 VLOG(1) << "Reading a byte out of bounds: " << c;
72 }
73
74 // This is harmless if you run it under Valgrind thanks to redzones.
75 void WriteValueOutOfArrayBoundsLeft(char *ptr) {
76 ptr[-1] = kMagicValue;
77 }
78
79 // This is harmless if you run it under Valgrind thanks to redzones.
80 void WriteValueOutOfArrayBoundsRight(char *ptr, size_t size) {
81 ptr[size] = kMagicValue;
82 }
83
84 void MakeSomeErrors(char *ptr, size_t size) {
85 ReadUninitializedValue(ptr);
86
87 HARMFUL_ACCESS(ReadValueOutOfArrayBoundsLeft(ptr),
88 "2 bytes to the left");
89 HARMFUL_ACCESS(ReadValueOutOfArrayBoundsRight(ptr, size),
90 "1 bytes to the right");
91 HARMFUL_ACCESS(WriteValueOutOfArrayBoundsLeft(ptr),
92 "1 bytes to the left");
93 HARMFUL_ACCESS(WriteValueOutOfArrayBoundsRight(ptr, size),
94 "0 bytes to the right");
95 }
96
97 } // namespace
98
99 // A memory leak detector should report an error in this test.
100 TEST(ToolsSanityTest, MemoryLeak) {
101 // Without the |volatile|, clang optimizes away the next two lines.
102 int* volatile leak = new int[256]; // Leak some memory intentionally.
103 leak[4] = 1; // Make sure the allocated memory is used.
104 }
105
106 #if (defined(ADDRESS_SANITIZER) && defined(OS_IOS)) || defined(SYZYASAN)
107 // Because iOS doesn't support death tests, each of the following tests will
108 // crash the whole program under Asan. On Windows Asan is based on SyzyAsan; the
109 // error report mechanism is different than with Asan so these tests will fail.
110 #define MAYBE_AccessesToNewMemory DISABLED_AccessesToNewMemory
111 #define MAYBE_AccessesToMallocMemory DISABLED_AccessesToMallocMemory
112 #else
113 #define MAYBE_AccessesToNewMemory AccessesToNewMemory
114 #define MAYBE_AccessesToMallocMemory AccessesToMallocMemory
115 #define MAYBE_ArrayDeletedWithoutBraces ArrayDeletedWithoutBraces
116 #define MAYBE_SingleElementDeletedWithBraces SingleElementDeletedWithBraces
117 #endif
118
119 // The following tests pass with Clang r170392, but not r172454, which
120 // makes AddressSanitizer detect errors in them. We disable these tests under
121 // AddressSanitizer until we fully switch to Clang r172454. After that the
122 // tests should be put back under the (defined(OS_IOS) || defined(OS_WIN))
123 // clause above.
124 // See also http://crbug.com/172614.
125 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
126 #define MAYBE_SingleElementDeletedWithBraces \
127 DISABLED_SingleElementDeletedWithBraces
128 #define MAYBE_ArrayDeletedWithoutBraces DISABLED_ArrayDeletedWithoutBraces
129 #endif
130 TEST(ToolsSanityTest, MAYBE_AccessesToNewMemory) {
131 char *foo = new char[10];
132 MakeSomeErrors(foo, 10);
133 delete [] foo;
134 // Use after delete.
135 HARMFUL_ACCESS(foo[5] = 0, "heap-use-after-free");
136 }
137
138 TEST(ToolsSanityTest, MAYBE_AccessesToMallocMemory) {
139 char *foo = reinterpret_cast<char*>(malloc(10));
140 MakeSomeErrors(foo, 10);
141 free(foo);
142 // Use after free.
143 HARMFUL_ACCESS(foo[5] = 0, "heap-use-after-free");
144 }
145
146 TEST(ToolsSanityTest, MAYBE_ArrayDeletedWithoutBraces) {
147 #if !defined(ADDRESS_SANITIZER) && !defined(SYZYASAN)
148 // This test may corrupt memory if not run under Valgrind or compiled with
149 // AddressSanitizer.
150 if (!RunningOnValgrind())
151 return;
152 #endif
153
154 // Without the |volatile|, clang optimizes away the next two lines.
155 int* volatile foo = new int[10];
156 delete foo;
157 }
158
159 TEST(ToolsSanityTest, MAYBE_SingleElementDeletedWithBraces) {
160 #if !defined(ADDRESS_SANITIZER)
161 // This test may corrupt memory if not run under Valgrind or compiled with
162 // AddressSanitizer.
163 if (!RunningOnValgrind())
164 return;
165 #endif
166
167 // Without the |volatile|, clang optimizes away the next two lines.
168 int* volatile foo = new int;
169 (void) foo;
170 delete [] foo;
171 }
172
173 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
174
175 TEST(ToolsSanityTest, DISABLED_AddressSanitizerNullDerefCrashTest) {
176 // Intentionally crash to make sure AddressSanitizer is running.
177 // This test should not be ran on bots.
178 int* volatile zero = NULL;
179 *zero = 0;
180 }
181
182 TEST(ToolsSanityTest, DISABLED_AddressSanitizerLocalOOBCrashTest) {
183 // Intentionally crash to make sure AddressSanitizer is instrumenting
184 // the local variables.
185 // This test should not be ran on bots.
186 int array[5];
187 // Work around the OOB warning reported by Clang.
188 int* volatile access = &array[5];
189 *access = 43;
190 }
191
192 namespace {
193 int g_asan_test_global_array[10];
194 } // namespace
195
196 TEST(ToolsSanityTest, DISABLED_AddressSanitizerGlobalOOBCrashTest) {
197 // Intentionally crash to make sure AddressSanitizer is instrumenting
198 // the global variables.
199 // This test should not be ran on bots.
200
201 // Work around the OOB warning reported by Clang.
202 int* volatile access = g_asan_test_global_array - 1;
203 *access = 43;
204 }
205
206 TEST(ToolsSanityTest, AsanHeapOverflow) {
207 HARMFUL_ACCESS(debug::AsanHeapOverflow() ,"to the right");
208 }
209
210 TEST(ToolsSanityTest, AsanHeapUnderflow) {
211 HARMFUL_ACCESS(debug::AsanHeapUnderflow(), "to the left");
212 }
213
214 TEST(ToolsSanityTest, AsanHeapUseAfterFree) {
215 HARMFUL_ACCESS(debug::AsanHeapUseAfterFree(), "heap-use-after-free");
216 }
217
218 #if defined(SYZYASAN)
219 TEST(ToolsSanityTest, AsanCorruptHeapBlock) {
220 HARMFUL_ACCESS(debug::AsanCorruptHeapBlock(), "");
221 }
222
223 TEST(ToolsSanityTest, AsanCorruptHeap) {
224 // This test will kill the process by raising an exception, there's no
225 // particular string to look for in the stack trace.
226 EXPECT_DEATH(debug::AsanCorruptHeap(), "");
227 }
228 #endif // SYZYASAN
229
230 #endif // ADDRESS_SANITIZER || SYZYASAN
231
232 namespace {
233
234 // We use caps here just to ensure that the method name doesn't interfere with
235 // the wildcarded suppressions.
236 class TOOLS_SANITY_TEST_CONCURRENT_THREAD : public PlatformThread::Delegate {
237 public:
238 explicit TOOLS_SANITY_TEST_CONCURRENT_THREAD(bool *value) : value_(value) {}
239 virtual ~TOOLS_SANITY_TEST_CONCURRENT_THREAD() {}
240 virtual void ThreadMain() OVERRIDE {
241 *value_ = true;
242
243 // Sleep for a few milliseconds so the two threads are more likely to live
244 // simultaneously. Otherwise we may miss the report due to mutex
245 // lock/unlock's inside thread creation code in pure-happens-before mode...
246 PlatformThread::Sleep(TimeDelta::FromMilliseconds(100));
247 }
248 private:
249 bool *value_;
250 };
251
252 class ReleaseStoreThread : public PlatformThread::Delegate {
253 public:
254 explicit ReleaseStoreThread(base::subtle::Atomic32 *value) : value_(value) {}
255 virtual ~ReleaseStoreThread() {}
256 virtual void ThreadMain() OVERRIDE {
257 base::subtle::Release_Store(value_, kMagicValue);
258
259 // Sleep for a few milliseconds so the two threads are more likely to live
260 // simultaneously. Otherwise we may miss the report due to mutex
261 // lock/unlock's inside thread creation code in pure-happens-before mode...
262 PlatformThread::Sleep(TimeDelta::FromMilliseconds(100));
263 }
264 private:
265 base::subtle::Atomic32 *value_;
266 };
267
268 class AcquireLoadThread : public PlatformThread::Delegate {
269 public:
270 explicit AcquireLoadThread(base::subtle::Atomic32 *value) : value_(value) {}
271 virtual ~AcquireLoadThread() {}
272 virtual void ThreadMain() OVERRIDE {
273 // Wait for the other thread to make Release_Store
274 PlatformThread::Sleep(TimeDelta::FromMilliseconds(100));
275 base::subtle::Acquire_Load(value_);
276 }
277 private:
278 base::subtle::Atomic32 *value_;
279 };
280
281 void RunInParallel(PlatformThread::Delegate *d1, PlatformThread::Delegate *d2) {
282 PlatformThreadHandle a;
283 PlatformThreadHandle b;
284 PlatformThread::Create(0, d1, &a);
285 PlatformThread::Create(0, d2, &b);
286 PlatformThread::Join(a);
287 PlatformThread::Join(b);
288 }
289
290 #if defined(THREAD_SANITIZER)
291 void DataRace() {
292 bool *shared = new bool(false);
293 TOOLS_SANITY_TEST_CONCURRENT_THREAD thread1(shared), thread2(shared);
294 RunInParallel(&thread1, &thread2);
295 EXPECT_TRUE(*shared);
296 delete shared;
297 // We're in a death test - crash.
298 CHECK(0);
299 }
300 #endif
301
302 } // namespace
303
304 #if defined(THREAD_SANITIZER)
305 // A data race detector should report an error in this test.
306 TEST(ToolsSanityTest, DataRace) {
307 // The suppression regexp must match that in base/debug/tsan_suppressions.cc.
308 EXPECT_DEATH(DataRace(), "1 race:base/tools_sanity_unittest.cc");
309 }
310 #endif
311
312 TEST(ToolsSanityTest, AnnotateBenignRace) {
313 bool shared = false;
314 ANNOTATE_BENIGN_RACE(&shared, "Intentional race - make sure doesn't show up");
315 TOOLS_SANITY_TEST_CONCURRENT_THREAD thread1(&shared), thread2(&shared);
316 RunInParallel(&thread1, &thread2);
317 EXPECT_TRUE(shared);
318 }
319
320 TEST(ToolsSanityTest, AtomicsAreIgnored) {
321 base::subtle::Atomic32 shared = 0;
322 ReleaseStoreThread thread1(&shared);
323 AcquireLoadThread thread2(&shared);
324 RunInParallel(&thread1, &thread2);
325 EXPECT_EQ(kMagicValue, shared);
326 }
327
328 } // namespace base